There is an online submission option and the form uses QR codes to authenticate each individual vote. It would be very easy to write a web service (small software / web application) which would generate every possible QR code configuration and submit it from individual IP addresses to the online form. Of course, this would render the referendum invalid. In security terms, this would be deemed similar to a DDOS attack.

If you submit every combination to the online form there would be no way to tell which were real vs fake

…perhaps this needs investigating before the results are declared on Thursday?

UPDATE: We have received this response …

No, because there are 4 billion public IPv4 addresses in the world, and(at least) 99 billion permutations of the QR code on the Voting Paper.Each attack would have a 1 mil/99 bil (0.00101%) chance of guessing the“correct” QR code. An attacker would run out of IP address well beforebeing able to spoof 1 million votes (~the number of NZers livingoverseas).

If you used all 4 billion IP addresses, you would successfully fakearound 40,000 votes. As well over 1.7 million voting papers have beenreturned(http://www.elections.org.nz/events/referendums-new-zealand-flag-0/voting-second-referendum/voting-statistics), the effect of such an attack on the outcome would probably benegligible.